CVE-2009-3898

Description

Directory traversal vulnerability in src/http/modules/ngx_http_dav_module.c in nginx (aka Engine X) before 0.7.63, and 0.8.x before 0.8.17, allows remote authenticated users to create or overwrite arbitrary files via a .. (dot dot) in the Destination HTTP header for the WebDAV (1) COPY or (2) MOVE method.

How to fix CVE-2009-3898

To remediate CVE-2009-3898, upgrade the affected package to a fixed version below.

• Debian/nginx—upgrade to 0.7.63-1 or later

Is CVE-2009-3898 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.7.63-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2009-3898